Crown copyright 2011

You may re-use this document (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. To view this licence, visit [link not reproduced in source]; or write to the Information Policy Team, The National Archives, Kew, Richmond, Surrey, TW9 4DU; or [address not reproduced in source]. Any enquiries regarding the content of this document should be sent to [address not reproduced in source].

CONTENTS

1. Introduction
   1.1 What is the purpose of this guidance?
   1.2 How do I use this guidance?
   1.3 Who is this guidance for?
2. Understand risks to digital continuity
   2.1 What do we mean by risks to digital continuity?
   2.2 Why manage risks to digital continuity?
3. Establish a framework for managing risks to digital continuity
   3.1 Roles and responsibilities for the management of risk
   3.2 Objectives
   3.3 Scope
   3.4 Process
       3.4.1 Risk identification process
       3.4.2 Risk analysis
       3.4.3 Controlling risk
       3.4.4 Recording risk
       3.4.5 Monitoring and reviewing risk
   3.5 Assurance
   3.6 Incident reporting and management
4. Carry out a digital continuity risk assessment
   4.1 Identify risks to digital continuity
       4.1.1 Governance
       4.1.2 Alignment of information assets, business requirements and technology
       4.1.3 Business or technological change
       Risks to information assets
5. Create an action plan for mitigating risk
   Prioritise risks
   Identify options for risk control
   Plan and take mitigating action
6. Next steps
   Further guidance
   Tools and services
   Further reading
Appendix A: Interviewees
Appendix B: Documentation checklist

1. Introduction

Digital continuity is the ability to use your information in the way you need, for as long as you need. If you do not actively work to ensure digital continuity, your information can easily become unusable. Digital continuity can be put at risk by changes to your organisation, management processes or technology. You need to manage your information carefully over time and through change to maintain the usability you need.

Managing the risks to digital continuity protects the information you need to do business. This enables you to operate transparently, accountably, legally and efficiently. It helps you to protect your reputation, make informed decisions, avoid and reduce costs, and deliver better public services. If you lose information because you haven't managed your digital continuity properly, the consequences can be as serious as those of any other information loss.

1.1 What is the purpose of this guidance?

This guidance forms part of a suite of guidance [1] that The National Archives has delivered as part of a digital continuity service for government, in consultation with central government departments.

This guidance provides you with practical information and support to help you assess and manage risks to digital continuity, which is Stage 3 of our four-stage process of managing digital continuity. [2] We recommend that you follow the four-stage process in order; however, you may wish to start here with Stage 3. See the diagram below for the steps in Stage 3: Assess and manage risk.

This guidance covers the first steps in Stage 3: create a framework for managing risk (see section 3 below), carry out a risk assessment (see section 4 below) and mitigate risk (see section 5 below). For information on restoring continuity that has already been lost, see our guidance on Managing Digital Continuity Loss. [3] Finally, for more on identifying savings and efficiencies, see our guidance What Does Digital Continuity Mean for You? An Overview of the Benefits. [4]

1.2 How do I use this guidance?

You can use this document in two ways. For a comprehensive view of the principles and process of assessing and managing risks to digital continuity (in particular, if you are coming to this guidance without having undertaken Stages 1 and 2 of managing digital continuity), read the following sections in order. Alternatively, the guidance can be used as a handbook to support the practical application of these principles; in this case, go directly to the section relevant to you. If you have undertaken the first stages of managing your continuity, for instance, you may want to skip to section 4 to carry out your risk assessment.

[1] For more information and guidance, see nationalarchives.gov.uk/digitalcontinuity
[2] See Managing Digital Continuity: nationalarchives.gov.uk/documents/informationmanagement/managing-digital-continuity.pdf
[3] See Managing Digital Continuity Loss: nationalarchives.gov.uk/documents/informationmanagement/managing-digital-continuity-loss.pdf
[4] What Does Digital Continuity Mean for You? An Overview of the Benefits: nationalarchives.gov.uk/documents/information-management/an-overview-of-the-benefits.pdf

1.3 Who is this guidance for?

This guidance is aimed at anyone involved in undertaking a digital continuity risk assessment. This could be information managers, risk managers, Information Asset Owners (IAOs) or project and change managers. As risks to digital continuity are information risks, the findings of the risk assessment will also be reported to your Senior Information Risk Owner (SIRO) or equivalent board-level owner of information risk.

For more on the people who will need to be involved in carrying out a risk assessment, see section 3.1 of this document. See more on the roles and responsibilities that your organisation will require to ensure the digital continuity of your information in Managing Digital Continuity. [5]

[5] See Managing Digital Continuity: nationalarchives.gov.uk/documents/informationmanagement/managing-digital-continuity.pdf

2. Understand risks to digital continuity

2.1 What do we mean by risks to digital continuity?

Unless you actively manage your digital information you may find yourself unable to use it in the way that you need or for as long as you need: this is a loss of digital continuity. You need to understand the factors that could cause this so that you can take appropriate measures to prevent it.

Digital information is vulnerable at times of change: this could be a single, defined change event, or the cumulative result of small changes that occur over time. Digital information is also complex: you may not fully understand what you need from your information or how these needs are met (for example, how your technology supports you in using information). This puts you at risk of a failure of digital continuity.

A failure of digital continuity will be experienced as an inability to find, open, work with, understand or trust your information. The causes of these failures are wide-ranging. You may be at risk if:
- there are gaps in your information governance structures
- there are gaps in your information management policies and practice
- your change management, technology management and information management processes are not effectively integrated.

See section 4.1 for full details of these risks to the continuity of your digital information.

2.2 Why manage risks to digital continuity?

Imagine if:
- you couldn't find information for a public inquiry
- you couldn't claim emergency financial assistance because your financial data is buried in out-of-date software
- you couldn't pay pensions because you lost the metadata connecting people to the contributions they'd made
- you needed records of decisions for legal compliance, but had no way of telling if you were looking at the final version of documents.

If you do not understand and manage the risks to the continuity of your digital information, you may be unable to protect your information appropriately or to exploit it fully. This will affect your ability to meet your business needs.

If you manage digital continuity, you will have confidence that the information you need to operate transparently, maintain public confidence in your organisation and protect your organisation's reputation can be found, that it is complete and in context and that it is trustworthy. You will be able to account for your organisation's actions and decisions.

You must ensure you manage your digital information appropriately and to an auditable standard, in line with statutory and legal requirements and best practice guidelines. You must also report and manage digital continuity incidents and include them in your annual Statement on Internal Control.

The National Information Assurance Strategy [6] requires government to ensure its information is protected and available as needed, and the supporting Information Assurance Maturity Model (IAMM) [7] includes assessing and managing risks to digital continuity in line with your other information risk management procedures.

[6] National Information Assurance Strategy: _strategy.aspx (URL truncated in source)
[7] (reference not reproduced in source)

3. Establish a framework for managing risks to digital continuity

Before you carry out a risk assessment, you should establish a framework for managing risks to digital continuity. This defines the process you will follow and identifies the outcomes you wish to achieve. It will help to ensure consistency in the way your risks are identified and managed and will enable you to evaluate the effectiveness of the actions you take.

To be effective, it is important that your framework is consistent (as far as possible) with the information risk management processes that are already embedded within your organisation. If you have an existing framework for managing information risk, you should extend this to include risks to digital continuity. You should also ensure that your digital continuity risk assessment reports are available to support decision making within your organisation.

Your digital continuity risk management framework should do the following:
- set out roles and responsibilities for managing risks to digital continuity
- define objectives and success criteria for the process
- define the scope of your risk assessments
- describe the process of how risks will be identified, analysed, controlled, recorded, monitored and reviewed
- consider how you will provide assurance of this process.

Your framework may also address incident management.

3.1 Roles and responsibilities for the management of risk

Roles and responsibilities for managing risks to digital continuity should be clearly defined. The skills required to effectively manage digital continuity cross disciplines, and the following people are likely to have some role in identifying and managing risks to digital continuity. Note that every organisation is different and roles, responsibilities and job titles may vary, so you may assign responsibilities differently in practice. [8]

The following roles may have a responsibility for risks to digital continuity:

[8] See Managing Digital Continuity for more on roles and responsibilities: nationalarchives.gov.uk/documents/information-management/managing-digital-continuity.pdf

- Senior Information Risk Owner (SIRO)
- Information Asset Owner (IAO)
- Information Management (IM), Information Assurance (IA) and Information Technology (IT) specialists
- Change or project managers
- IT suppliers or service providers

You should decide who will be involved in the risk assessment and how they will contribute. For instance, your specialists in IM, IA, IT and business change could each lead on separate areas of the assessment to give an organisational view when combined. Your SIRO and IAOs will understand how your organisation's structures and processes support them in managing information risk. Business users and front-line staff can highlight specific concerns or issues that might not otherwise come to light.

You should ensure that staff (or external agencies) in these roles understand their responsibilities for the management of risk. You may need to provide training or guidance on what is required of them. See Appendix A for a list of people who you may need to interview for your risk assessment.

3.2 Objectives

You should define your objectives for assessing and managing risk to digital continuity. Your own objectives will be specific to your organisation, but we have given some examples below.
- To enable you to meet the requirements of level 3 of the Information Assurance Maturity Model (IAMM). [9]
- To provide you with an understanding of risks to the continuity of your digital information assets which will enable you to take properly informed decisions, in line with business objectives, on how to mitigate those risks.
- To reduce the number of incidents of loss of digital continuity your organisation experiences.

[9] (reference not reproduced in source)

- To enable you to integrate digital continuity decisions into your wider information management, information assurance, information technology and change management strategies and processes.
- To provide a risk report which can be used to prioritise action, including when and how to use other digital continuity guidance, tools and services.
- To reduce the financial impact of losses of digital continuity on the organisation (note: this could also be to reduce reputational or operational impact).
- To reduce the impact of a specific major change event, such as a change of IT supplier, or a loss of personnel during organisational restructuring.

3.3 Scope

You should determine the scope of the risk assessment, in terms of the area of the organisation to be assessed, the information to be considered and the timeframes or risk factors concerned. Note: you may already have defined the scope for your management of digital continuity in Stage 1 of the process. [10] If so, this will help inform the scope of your risk assessments.

Organisational unit: You can assess risk at the level of the entire organisation, an individual business unit or a specific project or activity. For government departments, the assessment may also extend to agencies or other related public bodies.

Information coverage: This will usually be all the information assets which support the activities of the organisational unit being considered. Alternatively, the scope may be limited to business-critical information, sensitive information, or information held within certain systems, managed by a particular service provider, or in specific formats or media.

Timeframe: Your risk assessment will usually consider risks which may arise over the entire lifecycle of your information assets. Remember that risks to information assets can increase over time (for example, as a result of changes to your organisation, personnel, or technology); they can also decrease (for example, as information becomes less sensitive or less critical to your business activities). It may be useful to limit the timeframe considered by the assessment to the duration of a particular project or change activity.

[10] See Stage 1: Plan for action: nationalarchives.gov.uk/documents/informationmanagement/managing-stage-1.pdf

Risk factors: You will usually aim to conduct a comprehensive assessment; however, you may decide to focus on particular risk factors, for example, your information governance structures, change management processes or technical environment. You may choose to do this because one of these areas is under review or because you believe there is a weakness in a particular area.

The level of detail of the assessment will depend upon your business needs. Looking at your objectives in carrying out the risk assessment should help you to establish the most appropriate level of detail to consider.

3.4 Process

Define your process for carrying out the risk assessment, setting out how risks will be identified, analysed, controlled, recorded, monitored and reviewed.

3.4.1 Risk identification process

When identifying risks to digital continuity, you will need information from a wide range of people, including those in the roles listed in section 3.1 above. You could approach the risk assessment in a variety of ways. You could:
- ask individuals for specific information
- hold interviews to gain a broader understanding of risks and issues
- run workshops with participants from different business areas
- choose a combination of these.

The workshop approach can be particularly useful for exploring the relationships between your information and your business or how technology supports your information. It can help to highlight good practice and identify gaps, and may also prove beneficial in bringing together specialists from related fields, such as Information Management (IM), Information Assurance (IA) and Information Technology (IT). See Appendix A for a list of staff who may be able to contribute to your comprehensive assessment of risk to digital continuity.

You will also need to consult a range of documentation held by your organisation. For example:
- risk registers

- strategy and policy documents
- previous assessment reports
- internal audits, National Audit Office reports or other assurance reporting
- an Information Asset Register (IAR), or similar database, which your organisation has used to map the relationships between its information assets, business use and technological environment.

See Appendix B for a checklist of documents that may help you conduct a comprehensive assessment of risk to digital continuity.

Your risk identification process should include measures to enable ad-hoc reporting of information risks as you or your staff become aware of them, to escalate these to the most appropriate person and to ensure that risks identified through this route are recorded and managed.

3.4.2 Risk analysis

Your framework should set out how you will analyse the risks identified during your assessment. The purpose of this analysis is to support you in making judgements about how to manage risks; it is not an exact science and it is not necessary to develop highly complex mechanisms for analysing risks to digital continuity. For example:
- Assess the probability and potential impact of each risk. The probability is the chance that the risk will occur. The impact is a measure of the consequences if it does occur. These are commonly scored on a scale of 1 to 5.
- Combine probability and impact scores to give an overall risk priority number. This is commonly done by multiplying the two individual figures.
- Assess the timeframe in which action may be required; a higher score would indicate more immediate action. Timeframe may also be factored in to your risk priority score.

You should define a threshold risk priority score, above which you consider a risk to be significant. As part of defining this threshold, you will need to consider your appetite for different types of risk. If you have an existing risk management framework, risk appetite may have been determined at board level for your organisation as a whole. Alternatively,

tolerances may have been set for individual projects, for example, in a Project Initiation Document. [11]

Your risk appetite is a measure of your willingness to accept the type of risk identified (note that an organisation may be prepared to accept different levels of risk for different types of digital information). In determining your risk appetite, you should consider the following:
- What are your objectives in managing risks?
- Which types of risk require immediate action? Which can be accepted?
- What issues have arisen in the past and what were the consequences?
- How can limited resources be best deployed to minimise risk?

Your risk analysis process will enable you to prioritise risks, escalate each risk to the appropriate level, ensure ownership at a sufficiently senior level and identify appropriate and timely action.

3.4.3 Controlling risk

Your framework should set out what actions you will consider to control risks to the continuity of your digital information. Three general categories of action may be appropriate:

Risk mitigation: This approach focuses on reducing your risk through taking action to decrease either the probability or the impact of the risk. For example:
- migrating information from an at-risk format to a standardised format would reduce the probability of continuity loss caused by format obsolescence
- making information publicly available could reduce the operational impact of a loss of continuity of an information asset, since the information content would be recoverable from an external source (such as the Internet Archive).

Risk avoidance: You may be able to avoid a risk altogether, for example, by redesigning business processes to reduce reliance on at-risk information, or ceasing to hold the information asset concerned.

[11] Project Initiation Document: nationalarchives.gov.uk/documents/preservation_pid.pdf

Risk transfer: You could consider transferring risk to a third party. For example, clarifying the contractual responsibilities of your IT service provider may reduce the financial impact of continuity loss if the provider accepts responsibility for managing and restoring continuity. Note that while financial or contractual risks may often be effectively transferred, it is rarely possible for government organisations to transfer reputational or compliance risks.

3.4.4 Recording risk

Once you have identified risks to the digital continuity of your information, you should document these in a formal report. Wherever possible, aim to be consistent with other risk management processes used within your organisation. Your risk assessment report template should include the following:
- Describe each risk, including the business consequences of a loss occurring. Ensure that risks to digital continuity are also captured in other risk registers where appropriate.
- Analyse each risk, applying the scoring method defined by your framework.

You may wish to include high-impact risks to digital continuity in reports to your organisation's audit committee or feed these into your organisation's overall risk improvement report to the audit committee or board. You should also explore whether digital continuity risks with high impact should be quoted in your organisation's strategic risk register.

3.4.5 Monitoring and reviewing risk

Your digital continuity risk assessment process should be iterative and responsive to change. Each risk assessment is a snapshot of the situation at the time it was carried out: over time the risks themselves, their probability of occurrence and their potential impact on the business will change. Your framework should define how often your risk assessment reports must be reviewed to ensure that the risks identified are still current, that any new risks have been documented and that your assessments of probability and impact are still valid. We recommend you do this at least annually, and triggered by significant change events.
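The scoring method described under risk analysis above (probability and impact on a 1 to 5 scale, multiplied to give a risk priority number, with timeframe optionally factored in and a threshold above which a risk counts as significant), together with the per-risk rows a report template needs, worked through as an added Python example that is not part of this guidance. The sample risks, the way timeframe is factored in (a further multiplication) and the threshold value are constructed assumptions, not recommendations from the guidance.

```python
"""Risk priority scoring for a digital continuity risk register.

Added example; the sample register, the timeframe weighting and the
threshold are assumptions chosen to illustrate the method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    description: str
    probability: int  # 1 (unlikely) to 5 (almost certain)
    impact: int       # 1 (minor) to 5 (severe business consequences)
    timeframe: int    # 1 (action can wait) to 5 (action required now)

    def __post_init__(self):
        # Reject scores outside the 1 to 5 scale the framework defines.
        for name in ("probability", "impact", "timeframe"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be scored 1 to 5, got {value}")


def priority_number(risk, include_timeframe=False):
    """Risk priority number: probability multiplied by impact.

    If include_timeframe is set, the timeframe score is multiplied in as
    well (an assumed weighting; the guidance only says timeframe may be
    factored in, not how).
    """
    score = risk.probability * risk.impact
    if include_timeframe:
        score *= risk.timeframe
    return score


def prioritised(register, threshold, include_timeframe=False):
    """Risks scoring strictly above the threshold, highest priority first.

    Equal scores are ordered by timeframe so the more urgent risk comes
    first. Returns (score, risk) pairs.
    """
    scored = [(priority_number(r, include_timeframe), r) for r in register]
    significant = [(s, r) for s, r in scored if s > threshold]
    significant.sort(key=lambda sr: (sr[0], sr[1].timeframe), reverse=True)
    return significant


def risk_report(register, threshold, include_timeframe=False):
    """One row per risk for the report template: scores, priority number
    and whether the risk exceeds the significance threshold."""
    rows = []
    for risk in register:
        score = priority_number(risk, include_timeframe)
        rows.append({
            "risk": risk.description,
            "probability": risk.probability,
            "impact": risk.impact,
            "timeframe": risk.timeframe,
            "priority": score,
            "significant": score > threshold,
        })
    return rows


# Constructed sample register; illustrative only, not from a real assessment.
SAMPLE_REGISTER = [
    Risk("Financial data held only in an unsupported accounting package", 4, 4, 3),
    Risk("Pension contribution metadata has no defined Information Asset Owner", 2, 5, 2),
    Risk("IT service contract is silent on continuity at contract exit", 3, 4, 5),
    Risk("Committee minutes in a proprietary format with a freely available viewer", 2, 2, 1),
]

# Assumed threshold; in practice this comes from your organisation's risk appetite.
SIGNIFICANCE_THRESHOLD = 10


if __name__ == "__main__":
    print("Significant risks (probability x impact):")
    for score, risk in prioritised(SAMPLE_REGISTER, SIGNIFICANCE_THRESHOLD):
        print(f"  {score:>3}  {risk.description}")
    print("With timeframe factored in:")
    for score, risk in prioritised(SAMPLE_REGISTER, SIGNIFICANCE_THRESHOLD, True):
        print(f"  {score:>3}  {risk.description}")
```

Note that the pension metadata risk scores exactly 10 and so is not significant against a threshold of 10 until timeframe is factored in, which is the kind of boundary case a threshold definition should settle explicitly.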

Your framework should define the intervals at which to repeat a full risk assessment. This should be at least every two years, or when the organisation, your information or your technical environment undergo significant change, for example: taking on new responsibilities that require information to be used and managed differently; upgrading or changing your IT systems; closing or merging projects and teams.

3.5 Assurance

You should put structures in place to provide you with assurance that the framework is being applied, and that your risk management process is effective. For example:
- staff training
- metrics on risks and issues identified in each business area
- availability of up-to-date risk registers and issue logs
- use of feedback from incident analysis to refine the risk management process.

You should develop processes to ensure that the controls identified are put in place rather than simply planned.

3.6 Incident reporting and management

You are likely to identify specific incidents of loss of digital continuity during the course of your risk assessment. You should take the following actions.
- Manage the incident in line with your usual procedures for incident reporting: you should capture it in the appropriate issue logs and include it in your annual statement on internal control.
- Investigate the cause of the incident. Use this information to identify other information assets that may be at risk from the same underlying factors. Document and manage this risk accordingly.
- Investigate whether your risk identification and management process was effective. If not, use this information to make changes to your risk management.
- Investigate whether it is desirable or possible to restore continuity: consider the value of the information to the business, the cost of restoring continuity, whether this could be achieved in a timely way, and whether the information could be more cheaply or readily recreated or re-acquired from another source.
- Plan action accordingly. [12]

[12] See Managing Digital Continuity Loss: nationalarchives.gov.uk/documents/informationmanagement/managing-digital-continuity-loss.pdf

4. Carry out a digital continuity risk assessment

Once you have established a framework for managing risk to digital continuity, you will be able to conduct a risk assessment following the process you have defined, and then write a report based on your findings.

This section gives you key areas to explore to help you identify where you are at risk of losing digital continuity. You can work through these areas one by one, or for specific questions you can ask yourself, see our self-assessment tool. [13]

4.1 Identify risks to digital continuity

To successfully manage your digital continuity, you should ensure that:
- continuity requirements are embedded within information governance structures [14]
- continuity requirements have been defined with an understanding of what information you have, its business use and the technology required to support that use
- continuity requirements are embedded within change management processes
- information assets are managed to enable continuity requirements to be met.

Examining each of these areas for gaps can help you identify where you are at risk of losing digital continuity. This section describes why these factors are important and how they can impact digital continuity.

[13] Our self-assessment tool is now available: nationalarchives.gov.uk/documents/informationmanagment/self-assessment-tool.xls
[14] See more on defining your continuity requirements in Identify Information Assets and Business Requirements: nationalarchives.gov.uk/documents/information-management/identify-informationassets.pdf

4.1.1 Governance

Your information governance structures affect your ability to manage the continuity of your digital information assets. Effective management of digital continuity requires senior ownership and the coordination of resources from across the organisation. Gaps or failings in your information governance structures will leave you exposed to risk.

The table below gives, for each risk area, indicators of effective management and indicators of risk.

Risk area: Roles and responsibilities
Effective management of digital continuity requires clearly defined roles and responsibilities, integrated with your wider information governance structures and policies. Without these, your staff and suppliers will not have a consistent understanding of what is expected of them, will lack accountability and will be unable to ensure continuity of the information assets for which they are responsible.

Indicators of effective management:
- Your SIRO has appointed a Senior Responsible Owner (SRO) for digital continuity, at the right level, and with delegated authority to act.
- A multi-disciplinary team has been established to take action on managing digital continuity, including skills from the IM, IT, IA and business change functions.
- Information Asset Owners recognise their responsibilities for maintaining digital continuity and are adequately supported in doing this.
- You have engaged with your IT service providers and they recognise their responsibilities for managing digital continuity. Your contractual arrangements reflect this understanding.

Indicators of risk:
- You do not have clearly defined roles and responsibilities for managing digital continuity.
- You have not appointed individuals across the organisation to take this forward.
- You have not made your IT service providers aware of your digital continuity requirements and have not included it in your contractual arrangements.

Risk area: Information management
Engagement from your IM, IA and IT teams will help ensure that your policies support maintaining digital continuity. Ensure you have well designed and implemented policies, and ensure people understand and comply with them.

Indicators of effective management:
- Your policies support managing digital continuity. They cover: what tools to use to capture information, what information to keep and where, how to name and describe it, how to secure it, version control, use of systems.
- Staff are properly trained and understand their responsibilities for managing information.
- Compliance with policies is high.
- Policies are reviewed and updated regularly to ensure that they remain effective.
- Policies are monitored.

Indicators of risk:
- Your policies do not include measures that will enable you to manage digital continuity.
- Staff do not understand their responsibilities for managing information.
- Compliance with policies is low or staff are able to opt out.
- Policies are not reviewed and updated.

Risk area: Change management
Digital continuity is at risk during change. Your requirements for using information should be integrated into your change management processes to ensure that the impact of change on your information assets is assessed and managed.

Indicators of effective management:
- The organisation has a clearly defined change management process.
- Success criteria for change include maintaining digital continuity.
- You assess the impact of change on the continuity of your digital information assets. This is done as an integral part of the change management processes.

Indicators of risk:
- There is no consistent process for change management.
- The success criteria for change are undefined or do not include maintaining digital continuity.
- You do not carry out digital continuity impact assessments as an integral element of planning for change.

Risk area: Risk management
Loss of digital continuity is a key information risk which must be managed in a systematic and consistent way. It requires appropriate channels for risk reporting and escalation.

Indicators of effective management:
- Loss of digital continuity is recognised as a key corporate information risk.
- You have a framework for managing information risk.
- Risks to digital continuity are managed in line with your other information risks.

Indicators of risk:
- Loss of digital continuity is not recognised as a key corporate information risk.
- You do not have a framework or effective process for managing information risk.
- Risks to digital continuity are not managed in line with your other information risks.

Addressing gaps in this area will enable you to manage digital continuity, and will improve the effectiveness of your actions.

4.1.2 Alignment of information assets, business requirements and technology

To manage digital continuity, you need to:
- know what information you have and where it is
- understand how you want to use it, now and in the future
- make sure your technology enables all this and is agile enough to meet your changing requirements.

Any gaps in this understanding and alignment place you at risk of losing digital continuity, because if you do not understand your requirements for using information, you will be unable to ensure that they are met.

Risk area: Information asset management
You need a comprehensive understanding of your information assets. Without this understanding you will be unable to manage risks to your information assets. Every information asset should have a defined owner who is responsible for understanding requirements and ensuring continuity. Remember, you may be dependent on information assets that are owned, produced or managed by another organisation.

Indicators of effective management:
- You have a comprehensive register (preferably an IAR) of your information assets, covering all information of value to the business.
- Your information asset list captures additional fields to help you manage digital continuity (location, risk, formats and business purpose).
- You understand where you rely on information owned or managed by third parties and have assurance that its continuity is being managed.
- You routinely test for continuity.

Indicators of risk:
- You hold information that is not managed as an asset.
- You rely on information that is owned or managed by another organisation but do not have clear processes for assuring their management of this information.

Risk area: Understanding business requirements
You need to understand what business purpose your information assets serve. Without this you will be unable to ensure that you can provide the right level of support for them, enabling them to be found, opened, used, understood and trusted as required.

Indicators of effective management:
- You understand what information your business requires, and how it flows through the organisation.
- You have defined your need to find, open, work with, understand and trust each information asset, in order to meet your business needs.
- You have defined how long you need to retain your information.

Indicators of risk:
- You hold information that has no clear business use.
- You do not understand what information the business requires or how it flows around the organisation.
- You are unsure how long you should retain your information.

Risk area: Technical dependencies
The completeness and availability of your digital information is highly dependent on the technical environment that supports it. Without the appropriate technology you will be unable to use your information as required to meet your business needs.

Indicators of effective management:
- You understand your technical environment.
- Your technology meets your requirements to find, open, work with, understand and trust your information.
- Your technology is sustainable and you understand how planned technical changes could affect your ability to use your information in the future.

Indicators of risk:
- You rely on proprietary formats that can only be used with specific technology products.
- You rely on specialist, bespoke or legacy systems.
- You use file formats that are at high risk of technical obsolescence.
- You create information that is highly structured or has complex interdependencies, including datasets and databases.

4.1.3 Business or technological change

Digital information is vulnerable at times of change. Change events can affect the alignment of your information assets, and their business requirements and technical environment, leaving you at risk. Changes may be large-scale with impact across your business or technology, but remember that small changes can also have an impact on digital continuity. For example, changes of personnel can leave you unable to find, open, work with, understand or trust your information unless you understand and manage the risks involved.

Risk area: Change management processes
Successfully managing digital continuity through change requires your staff to understand and apply your change management processes.

Indicators of effective management:
- Staff understand your change management processes and follow them.
- You have processes in place to manage small-scale or routine changes.
- Staff have the skills to conduct digital continuity impact assessments as part of planning for change.
- You have a process for testing for continuity following change.

Indicators of risk:
- Your change management processes are not well understood or followed within the organisation.
- Your change management processes only cover large projects.
- You do not have enough understanding of your information or technology to conduct meaningful impact assessments.
- You do not test for the continuity of information assets following change.

Risk area: Technology change
Technology change may occur on an incremental basis as you upgrade your systems or as the formats and software products you use become unsupported. Change may also be dramatic, such as changing your IT suppliers or undertaking large-scale systems development or architecture projects. Any technology change may impact your ability to find, open, work with, understand or trust one or more of your information assets.

Indicators of effective management:
- Your technology environment, including licences and support contracts, is likely to be stable for the next two years. You can't foresee any major end-of-lifecycle changes.
- You understand the roadmaps for the technology you use, and have plans in place to manage any transitions.

Indicators of risk:
- You are planning to re-tender your commercial ICT services (within the next two years).
- You do not understand the development roadmaps for IT products you rely on.
- You do not have exit strategies in place for systems that are approaching the end of their life.

Risk area: Organisational change
Organisational change may occur on an incremental basis as staff leave the organisation or projects come to an end.

Indicators of effective management:
- You do not expect to undergo significant organisational change within the next two years.

Indicators of risk:
- You expect to undergo a change of organisational function (such as a Machinery of Government change).

24 Change may also be dramatic, such as a You understand the routine changes that You plan to restructure the organisation or transfer of functions between organisations will occur (staff turnover, projects undertake an activity that will result in a following Machinery of Government change. beginning and end) and have processes in loss of staff skills and knowledge and new place to manage the continuity of your business requirements for your information through these transitions. information. You are aware of legislative or regulatory changes that will affect the way you record, handle, analyse or share information Risks to information assets The factors above will usually have a wide-ranging effect on your ability to manage digital continuity. However, individual information assets may also be at risk from specific changes that will affect your ability to find, open, work with, understand and trust them. The following risks may be assessed for a specific information asset, or may be used to give you a more general assessment of risk to the continuity of your digital information assets. Find Indicators of effective management Indicators of risk Maintaining your ability to find information Staff understand where to keep There are no defined locations where staff over time and through change relies on it information. It is held in defined locations, should keep information, and no defined being where it should be, being searchable accessible to anyone with a business criteria for what information should be and with appropriate access permissions. If need to find it. kept. these factors are not actively managed you Your information has the appropriate Information is held in boxes, Page 24 of 35

25 risk being unable to find your information metadata to make it discoverable by archives, on local hard drives and when you need it. This is a failure of digital search (for example, meaningful title, removable media. continuity. subject, dates, author). Information is held in unmanaged network Your information is covered by your drives. search tools. These are well-configured Your files are not meaningfully named and and usable. do not have metadata that supports Your search tools return a manageable searching. number of results, allowing the information Your search tools do not cover all being sought to be identified. locations where information may be held. You hold duplicate information. Your search tools are difficult to use, or staff lack the necessary training. Open Maintaining your ability to open information Off-line information can be physically Information is held on removable media over time and through change relies on being retrieved in a timely and cost-effective such as disks or tapes. able to obtain it in a timely manner. You need manner, with appropriate access controls. You do not test for continuity regularly or the correct technology and access rights. If The integrity of your digital information is following change. these factors are not met you risk being unable to open your information when you need it. This is a failure of digital continuity. managed; you have processes to check that that your files are not corrupt. You manage access controls, passwords Staff are able to apply passwords or encrypt files as they wish. Passwords and encryption keys are not centrally and encryption keys to ensure that you managed. can open your information when required. Staff are able to use unsupported software You understand the technical to create files, licences are not managed. Page 25 of 35

26 dependencies of your information, and You rely on bespoke or legacy systems maintain the required hardware and which are difficult to support, or are a poor software environment. fit with your corporate infrastructure. You do not rely on bespoke, legacy or unsupported information systems. Your information is held in standardised formats with a high degree of interoperability. Work with Maintaining your ability to work with Your information is in formats and Your information is siloed, it is difficult to information over time and through change systems that support how you need to use combine, manipulate or re-purpose it. relies on it being held in formats and systems it (for example, information can be read, You do not understand how linked or that allow it to be used or re-used as you edited, saved. Data can be queried, embedded documents are used, or how require. You will also need access to the combined, manipulated, reported on or your systems support these. necessary technology or tools. Without this you risk being unable to open your information when you need it. This is a failure of digital continuity. exported as required). You maintain the completeness of your information through managing links or relationships between information. You You do not understand the range of formats you hold, or what technology is required to open and work with these. can identify all related material and bring it together when needed, even when it is held and managed separately. You understand what tools are required to support this use, and your technology planning process ensures that they will be Page 26 of 35

27 available. Understand Indicators of effective management Indicators of risk Maintaining your ability to understand your information over time and through change The information in the asset is subject to a classification scheme (e.g. a file plan) Your information is not categorised or labelled. relies on it being in the right place, complete and adequately described. Staff complete descriptive metadata and assign meaningful file names. Your systems do not allow metadata to be assigned. Staff do not recognise the value You have a defined version control system that is used by all those creating and of assigning meaningful and accurate metadata. editing information within the information asset. You hold multiple versions of the same information. It is not clear which is the You have a process to ensure that relationships between information are maintained. current or definitive version. Trust Indicators of effective management Indicators of risk Maintaining your ability to trust your You understand what audit or provenance You are unable to set or enforce access information relies on understanding where it information you need in order to trust your restrictions on access to your information, came from, how and when it was used or information. Audit records are held and or staff do not understand how and when changed and by whom. Trust also depends managed appropriately. You can analyse to do this. on knowing which version of your information is current, and on understanding data quality audit trails when required. You keep a record of the way information Your access control mechanisms lack the required granularity. and accuracy. The level of trust you need in your information will vary depending on what is accessed, used and changed. For example, through version control or You are unable to audit access and use of your information or you can not analyse Page 27 of 35

28 you need to do with it, eg information that may through maintaining a record of access to audit trails. be used as evidence will have more rigorous information. You hold multiple versions of the same trust requirements than other material. Access rights to information are information. controlled. Your information is not accurately You have a forensic readiness policy and described to indicate its purpose, source process for managing the continuity of or history. your forensic evidence information. You do not have processes in place to manage the continuity of audit and logging information and do not manage these data types as information assets in themselves. Page 28 of 35

5. Create an action plan for mitigating risk

Once you've identified your risks and put them into a report, you should create an action plan for mitigating them.

5.1 Prioritise risks

Prioritise the risks you've identified according to their probability, impact, timeframe and whether they fall within your risk appetite. This prioritisation will enable you to identify those risks that require mitigating action. Accept lower priority risks, but monitor them to ensure they remain within your risk appetite.

5.2 Identify options for risk control

For any particular risk to the continuity of your digital information, there may be a range of possible risk-reduction actions. These will often be focused on reducing the probability of the risk, but may also be aimed at reducing the potential business impact, avoiding the risk or transferring it (see section for more information about approaches to controlling risk).

For each risk, identify the possible options and assess their probable effectiveness, along with the cost and ease of implementation. Remember, a combination of actions may be required to achieve the required degree of mitigation, and it may not be possible to mitigate the risk fully. Identify actions which are dependent on third parties (for example, your suppliers): this may affect the cost of the action, and the degree of control you have over progress or outcomes.

In certain circumstances, you will not be able to identify appropriate or cost-effective action to control the risk, or to control it to the required extent. In this situation undertake contingency planning to enable you to respond to any issues that arise. This may include identifying measures to reduce the impact of the issue, identifying resources, or developing communications strategies.

5.3 Plan and take action

For each risk to be controlled, you should do the following:

1. Describe the action(s) to be taken. Document why you have selected this course of action and identify the expected outcomes.
2. Determine how to measure whether the desired outcome has been achieved. Note that for successful management, both the risk and any action must be owned and approved at the appropriate level.
3. Assign responsibility for implementation, allocate resources and identify timescales for action.
4. Monitor the progress of actions and test their effectiveness, using the measures already identified to assist you. Remember, the probability and impact of the risk may change as actions progress: it will be necessary to reassess these and to intensify or relax mitigation measures as necessary to bring the risk within acceptable limits and keep it there.
5. Ensure that you learn from monitoring the effectiveness of the action you take:
   - Which actions have proved effective in controlling each type of risk?
   - Which types of action is your organisation good at?
   - Where do you require additional support?

6. Next steps

Digital continuity should be embedded into your organisation's information risk policy and risk management processes. You should use the risk assessment to help you develop and maintain a schedule of risks (and mitigations) for each information asset.

You should also embed digital continuity into your change management processes. Ensure that a full assessment of the impact of change on the continuity of information assets is conducted as an integral part of your change management process. 15

Your assessment of risk to digital continuity should be repeated at regular intervals. As part of this process you should consider whether continuity has been maintained during the period since the previous assessment. Evaluate the effectiveness of risk-management actions, and assess new risks.

15 See more on change management: Change Management for Digital Continuity SROs, nationalarchives.gov.uk/information-management/projects-and-work/dc-guidance.htm

7. Further guidance

7.1 Tools and services

Your organisation may already have a range of tools, which it employs in its standard approach to risk management, to help you identify, record and manage risk. For instance, you may have standard templates for documenting risks and developing action plans. You should investigate whether you can use any of these existing tools to support your digital continuity risk assessment. Talk to your corporate management function to find out what's available.

Self-assessment tool
The National Archives has produced a digital continuity self-assessment tool to help you ask the right questions, identify areas of risk and identify possible mitigation actions. This is available now at nationalarchives.gov.uk/documents/information-management/self-assessmenttool.xls

File profiling tool (DROID)
The National Archives offers a file format identification tool (DROID) which can help you understand the format, volume and ages of the information you hold; this can enable you to assess your exposure to the risk of format obsolescence. Reports generated from DROID may also help you to identify opportunities for disposing of redundant information or to identify possible mitigating actions. Find out more about DROID and download our guidance DROID: How to Use It and How to Interpret the Results on our website. 16 You can download DROID directly here:

Digital Continuity Framework
To support your organisation's management of digital continuity, there is a range of services and solutions available on the Digital Continuity Framework 17 for your organisation to procure. The services available provide expertise in specific areas of information management and information technology. The solutions available cover technology to improve particular areas of the management of your digital continuity, such as data quality.

16 See more on DROID: nationalarchives.gov.uk/droid
17 See more information on the digital continuity web pages, nationalarchives.gov.uk/dc-framework, and go to the Framework on the Buying Solutions website
